Dear all,
I am encountering a very strange behaviour in the recent Samba packages for SLES 10. We are integrating services using Winbind with our Active Directory infrastructure. This worked very well with the older versions from SLES 10, and still works with Samba 3.0.24-SerNet-SuSE bundled by SerNet (yes, that's too old to keep it for a really long time on my box).
The problem: With the recent versions of Samba, we are not able to authenticate users belonging to a trusted AD domain anymore. Users belonging to the default domain still resolve, nonetheless.
Some facts:
- Samba is "Version 3.0.28-0.4.3-1787-SUSE-CODE10"
- Winbind is integrated via nsswitch.conf:
Code:
    passwd: compat winbind
    group: compat winbind
- Winbind is configured as follows (most relevant parts):
Code:
    [global]
    workgroup = OFFICE
    realm = OFFICE
    security = ADS
    allow trusted domains = yes
    encrypt passwords = yes
    password server = mypasswordserver.office
    client use spnego = yes
    passdb expand explicit = no
    os level = 0
    local master = no
    domain master = no
    preferred master = no
    dns proxy = no
    idmap uid = 10000-50000
    idmap gid = 10000-50000
    winbind use default domain = yes
    winbind enum users = yes
    winbind enum groups = yes
    winbind nested groups = yes
The problem:
- I can resolve users from the AD domain "office", i.e. by typing "id username".
- I can't resolve users from an AD child domain like "sub.office", i.e. by typing "id SUB\\username". The following messages appear in the log:
Code:
    [2008/07/23 14:18:57, 1] nsswitch/winbindd_user.c:winbindd_dual_userinfo(152)
    error getting user info for sid S-1-5-21-1337654302-690922395-455318250-1179
- BUT:
Code:
    # wbinfo -s S-1-5-21-1337654302-690922395-455318250-1179
    SUB/username 1
- I also see "sub.office" as trusted:
Code:
    # wbinfo -m
    SUB
    ANOTHER
    OFFICE
Have there been any changes in Samba's configuration between 3.0.24 (and the former 3.0.28 in SLES 10 SP1) and the recent release? Is this a bug? In any case, is there an official fix (planned)?
Best regards,
Jens
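Added example, not part of the original post: a small Python triage script for the winbindd log format quoted above. It groups failed user-info lookups by domain SID (the SID without its final RID) to show whether the failures are confined to one domain. The function names, the second SID's RID and the third log entry are constructed for illustration.

```python
import re
from collections import defaultdict

# Header line of a log entry as quoted in the post:
#   [date time, level] file:function(line)
HEADER = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}),\s*(?P<level>\d+)\]\s+\S+"
)
# Message line reported by winbindd_dual_userinfo in the post.
FAILED = re.compile(r"error getting user info for sid (?P<sid>S-1(?:-\d+)+)")


def failed_lookups(log_text):
    """Yield (timestamp, domain_sid, rid) for each failed user-info lookup."""
    ts = None
    for line in log_text.splitlines():
        header = HEADER.match(line.strip())
        if header:
            ts = header.group("ts")  # remember it for the message line that follows
            continue
        failed = FAILED.search(line)
        if failed:
            # A user SID is the domain SID followed by the account's RID.
            domain_sid, _, rid = failed.group("sid").rpartition("-")
            yield ts, domain_sid, int(rid)


def group_by_domain(log_text):
    """Map each domain SID to the list of RIDs whose lookup failed."""
    groups = defaultdict(list)
    for _ts, domain_sid, rid in failed_lookups(log_text):
        groups[domain_sid].append(rid)
    return dict(groups)


# First entry is the one from the post; the other two are constructed.
SAMPLE_LOG = """\
[2008/07/23 14:18:57, 1] nsswitch/winbindd_user.c:winbindd_dual_userinfo(152)
  error getting user info for sid S-1-5-21-1337654302-690922395-455318250-1179
[2008/07/23 14:19:03, 1] nsswitch/winbindd_user.c:winbindd_dual_userinfo(152)
  error getting user info for sid S-1-5-21-1337654302-690922395-455318250-1204
[2008/07/23 14:19:10, 3] example/unrelated.c:unrelated_function(1)
  unrelated message (constructed)
"""

if __name__ == "__main__":
    for domain_sid, rids in group_by_domain(SAMPLE_LOG).items():
        print(f"{domain_sid}: {len(rids)} failed lookups, RIDs {rids}")
```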